An Android trojan that started out as an open-source project has been updated to allow hackers to gain access to virtually all data on infected devices.
Silent installation, shell command execution and the collection of credentials, Wi-Fi passwords and screenshots are just some of the capabilities of AndroRAT, which exploits CVE-2015-1805, a Linux kernel vulnerability that was publicly disclosed in 2016.
While newer Android devices can be patched against attacks exploiting the vulnerability, Google’s lack of support for older devices means many remain vulnerable to attacks designed to gain additional privileges on the phone.
The new variant of AndroRAT is disguised as an app called ‘TrashCleaner’
The new variant of AndroRAT is disguised as an app called ‘TrashCleaner’ and researchers at Trend Micro say it’s distributed via a malicious URL — indicating that this threat comes from third-party download sites or phishing attacks.
“There is a good chance the URL could have been delivered through an ‘in-app’ advertisement in another app such as a popular game,” Bharat Mistry, principal security strategist at Trend Micro told ZDNet.
“Spear phishing campaign through email could also be a viable vector, as most people are using their mobile devices email.”
If downloaded and installed, TrashCleaner will then prompt the Android device to install a Chinese-labelled calculator app with a logo which looks similar to the standard Android calculator.
At the same time, the TrashCleaner icon is removed from the UI of the infected device and the RAT is activated in the background. It appears that the attackers are relying on users not being suspicious of an app they’ve just downloaded installing an additional app then disappearing.
AndroRAT is controlled by a remote server
Once active on a device, AndroRAT is controlled by a remote server, which can perform a wide variety of different actions by activating the embedded root exploit to execute privileged actions.
As a result, AndroRAT is able to record audio, take photos, monitor communications, see the GPS location of the device, steal Wi-Fi names connected to the device and more.
The new version of the malware also comes with additional capabilities, allowing attackers to see all applications installed on the device.
It can also steal browser history from pre-installed browsers, record calls, take photos with the front-facing camera, upload additional files to the device, capture screenshots, abuse accessibility service for the purposes of keylogging and execute shell commands.
AndroRAT — which has been active since 2012
AndroRAT — which has been active since 2012 — ultimately compromises the entire device, allowing attackers to see and steal practically every piece of information about the user, massively compromising their privacy, while also putting them at risk of further attacks.
Google did issue a patch for CVE-2015-1805 in March 2016, but those using older devices remain vulnerable.
Android users running KitKat, Jelly Bean, Ice Cream Sandwich or Gingerbread generally no longer receive new updates, but still account for almost one-fifth of Android’s two billion users, meaning they likely remain vulnerable to AndroRAT attacks.
“The malware has the potential to be far reaching as it seems to attack older devices which either haven’t been patched or the device manufacturer has stopped supporting updates,” said Mistry.
Those initially behind AndroRAT didn’t intend for it to be used in a malicious way
Those initially behind AndroRAT didn’t intend for it to be used in a malicious way, but it was an open-source university project investigating how to provide remote access to the Android system. Unfortunately, cybercriminals later exploited these tools for malicious means.
Users can ensure they don’t fall victim to threats like AndroRat by not downloading apps from third-party app stores — and keeping their device patched.
“From an end-user point of view it means that additional security controls are required on the device, such as anti-malware and applications that look up reputation of sites that are accessed from the phone and applications that are being downloaded,” said Mistry.
Google says the malicious TrashCleaner app was never on Google Play and that any device updated after April 2016 isn’t vulnerable to AndroRAT.